93b91360c51ab11e9ba349cfa48fdf44a356c2c28bd9d988a500c98e29dd0b40

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
Size

384KB
MD5

2714dcb562108786d363129ba91aaeb2
SHA1

fbe0353bc336d0e6645ea543113dc626c6d69818
SHA256

93b91360c51ab11e9ba349cfa48fdf44a356c2c28bd9d988a500c98e29dd0b40
SHA512

ad2bdbd6ff19388ec2f8c9e233948b8f71998a6f1cd82d3cf79fef011dee3c97c7789db27aed93b3f20d7703d9eb94900a04727be2ac8922aee37b0c4b0041db
SSDEEP

6144:CGJQSv0GhSHcF8BYmZROmg2WoitHdy+n0wCdSz/lhUl2YLNSxEVXq3tu0bpO9w4Y:Ci0GhgcF8B5ZROthZ/EJaCX90lOi4zUH

Score

10^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\Recovery+mjcko.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/3C485425A0CF3EF6 2. http://b4youfred5485jgsa3453f.italazudda.com/3C485425A0CF3EF6 3. http://5rport45vcdef345adfkksawe.bematvocal.at/3C485425A0CF3EF6 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/3C485425A0CF3EF6 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/3C485425A0CF3EF6 http://b4youfred5485jgsa3453f.italazudda.com/3C485425A0CF3EF6 http://5rport45vcdef345adfkksawe.bematvocal.at/3C485425A0CF3EF6 *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/3C485425A0CF3EF6 *-*-* Your personal identification ID: 3C485425A0CF3EF6

URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/3C485425A0CF3EF6

http://b4youfred5485jgsa3453f.italazudda.com/3C485425A0CF3EF6

http://5rport45vcdef345adfkksawe.bematvocal.at/3C485425A0CF3EF6

http://fwgrhsao3aoml7ej.onion/3C485425A0CF3EF6

http://fwgrhsao3aoml7ej.ONION/3C485425A0CF3EF6

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (876) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ltvoaislmjan.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mjcko.png	ltvoaislmjan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+mjcko.html	ltvoaislmjan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mjcko.png	ltvoaislmjan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+mjcko.html	ltvoaislmjan.exe

Executes dropped EXE 2 IoCs

pid	Process
3036	ltvoaislmjan.exe
3808	ltvoaislmjan.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rsbiuukkwsba = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\ltvoaislmjan.exe\""	ltvoaislmjan.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 3036 set thread context of 3808	3036	ltvoaislmjan.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\Recovery+mjcko.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-48_altform-unplated_contrast-black.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Recovery+mjcko.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-400.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\Recovery+mjcko.html	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-20_altform-unplated.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\Recovery+mjcko.html	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+mjcko.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+mjcko.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\Recovery+mjcko.html	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-20.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24_altform-unplated.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\messaging\bookmark_empty_state.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-150.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-250.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-30_altform-unplated.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-200.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-125.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\Recovery+mjcko.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache.scale-150.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-100.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-16.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\capture\Recovery+mjcko.html	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-400_contrast-white.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Windows Sidebar\Recovery+mjcko.html	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxMetadata\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker33.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-200.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\Recovery+mjcko.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ro-RO\Recovery+mjcko.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-80_altform-lightunplated.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\Recovery+mjcko.html	ltvoaislmjan.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\175.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\Recovery+mjcko.txt	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageAppList.scale-100.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-256.png	ltvoaislmjan.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-32_altform-unplated.png	ltvoaislmjan.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ltvoaislmjan.exe	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
File created	C:\Windows\ltvoaislmjan.exe	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ltvoaislmjan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ltvoaislmjan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	ltvoaislmjan.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2584	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe
3808	ltvoaislmjan.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
Token: SeDebugPrivilege	3808	ltvoaislmjan.exe
Token: SeIncreaseQuotaPrivilege	3856	WMIC.exe
Token: SeSecurityPrivilege	3856	WMIC.exe
Token: SeTakeOwnershipPrivilege	3856	WMIC.exe
Token: SeLoadDriverPrivilege	3856	WMIC.exe
Token: SeSystemProfilePrivilege	3856	WMIC.exe
Token: SeSystemtimePrivilege	3856	WMIC.exe
Token: SeProfSingleProcessPrivilege	3856	WMIC.exe
Token: SeIncBasePriorityPrivilege	3856	WMIC.exe
Token: SeCreatePagefilePrivilege	3856	WMIC.exe
Token: SeBackupPrivilege	3856	WMIC.exe
Token: SeRestorePrivilege	3856	WMIC.exe
Token: SeShutdownPrivilege	3856	WMIC.exe
Token: SeDebugPrivilege	3856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3856	WMIC.exe
Token: SeRemoteShutdownPrivilege	3856	WMIC.exe
Token: SeUndockPrivilege	3856	WMIC.exe
Token: SeManageVolumePrivilege	3856	WMIC.exe
Token: 33	3856	WMIC.exe
Token: 34	3856	WMIC.exe
Token: 35	3856	WMIC.exe
Token: 36	3856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3856	WMIC.exe
Token: SeSecurityPrivilege	3856	WMIC.exe
Token: SeTakeOwnershipPrivilege	3856	WMIC.exe
Token: SeLoadDriverPrivilege	3856	WMIC.exe
Token: SeSystemProfilePrivilege	3856	WMIC.exe
Token: SeSystemtimePrivilege	3856	WMIC.exe
Token: SeProfSingleProcessPrivilege	3856	WMIC.exe
Token: SeIncBasePriorityPrivilege	3856	WMIC.exe
Token: SeCreatePagefilePrivilege	3856	WMIC.exe
Token: SeBackupPrivilege	3856	WMIC.exe
Token: SeRestorePrivilege	3856	WMIC.exe
Token: SeShutdownPrivilege	3856	WMIC.exe
Token: SeDebugPrivilege	3856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3856	WMIC.exe
Token: SeRemoteShutdownPrivilege	3856	WMIC.exe
Token: SeUndockPrivilege	3856	WMIC.exe
Token: SeManageVolumePrivilege	3856	WMIC.exe
Token: 33	3856	WMIC.exe
Token: 34	3856	WMIC.exe
Token: 35	3856	WMIC.exe
Token: 36	3856	WMIC.exe
Token: SeBackupPrivilege	1368	vssvc.exe
Token: SeRestorePrivilege	1368	vssvc.exe
Token: SeAuditPrivilege	1368	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
3036	ltvoaislmjan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 4600 wrote to memory of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 4600 wrote to memory of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 4600 wrote to memory of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 4600 wrote to memory of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 4600 wrote to memory of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 4600 wrote to memory of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 4600 wrote to memory of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 4600 wrote to memory of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 4600 wrote to memory of 3892	4600	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	90
PID 3892 wrote to memory of 3036	3892	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	91
PID 3892 wrote to memory of 3036	3892	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	91
PID 3892 wrote to memory of 3036	3892	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	91
PID 3892 wrote to memory of 2820	3892	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	92
PID 3892 wrote to memory of 2820	3892	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	92
PID 3892 wrote to memory of 2820	3892	2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe	92
PID 3036 wrote to memory of 3808	3036	ltvoaislmjan.exe	95
PID 3036 wrote to memory of 3808	3036	ltvoaislmjan.exe	95
PID 3036 wrote to memory of 3808	3036	ltvoaislmjan.exe	95
PID 3036 wrote to memory of 3808	3036	ltvoaislmjan.exe	95
PID 3036 wrote to memory of 3808	3036	ltvoaislmjan.exe	95
PID 3036 wrote to memory of 3808	3036	ltvoaislmjan.exe	95
PID 3036 wrote to memory of 3808	3036	ltvoaislmjan.exe	95
PID 3036 wrote to memory of 3808	3036	ltvoaislmjan.exe	95
PID 3036 wrote to memory of 3808	3036	ltvoaislmjan.exe	95
PID 3036 wrote to memory of 3808	3036	ltvoaislmjan.exe	95
PID 3808 wrote to memory of 3856	3808	ltvoaislmjan.exe	96
PID 3808 wrote to memory of 3856	3808	ltvoaislmjan.exe	96
PID 3808 wrote to memory of 2584	3808	ltvoaislmjan.exe	102
PID 3808 wrote to memory of 2584	3808	ltvoaislmjan.exe	102
PID 3808 wrote to memory of 2584	3808	ltvoaislmjan.exe	102
PID 3808 wrote to memory of 3828	3808	ltvoaislmjan.exe	103
PID 3808 wrote to memory of 3828	3808	ltvoaislmjan.exe	103
PID 3828 wrote to memory of 2732	3828	msedge.exe	104
PID 3828 wrote to memory of 2732	3828	msedge.exe	104
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105
PID 3828 wrote to memory of 4200	3828	msedge.exe	105

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ltvoaislmjan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ltvoaislmjan.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2714dcb562108786d363129ba91aaeb2_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\ltvoaislmjan.exe
    C:\Windows\ltvoaislmjan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\ltvoaislmjan.exe
      C:\Windows\ltvoaislmjan.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3808
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
        5⤵
        System Location Discovery: System Language Discovery
        Opens file in notepad (likely ransom note)
        
        PID:2584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb670746f8,0x7ffb67074708,0x7ffb67074718
        6⤵
        
        PID:2732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        6⤵
        
        PID:4200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        6⤵
        
        PID:4908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1912 /prefetch:8
        6⤵
        
        PID:5012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        
        PID:4668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
        6⤵
        
        PID:1764
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
        6⤵
        
        PID:2996
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
        6⤵
        
        PID:3964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
        6⤵
        
        PID:4972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
        6⤵
        
        PID:4752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
        6⤵
        
        PID:3872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1668116933637596883,2973966922072850959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        6⤵
        
        PID:5108
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\LTVOAI~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2714DC~1.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\Recovery+mjcko.html

Filesize
9KB

MD5
5ce080c54fb7fc1a533b44e757ca4e07

SHA1
4abc7ada30bf3d977ce641a4cfbd7a9b93fd0a27

SHA256
f091f24305a95b017ada80c89e8f65cb347c74b0f15cb1698307525df808309e

SHA512
46309d90f214e4c7a66a0d470ee25682bbc6a7785dafdd0a3fa3795f4e2cf4223f72a52758783630eaee81c301e62e9e3d62400c5236101d1f59cef1c00d1c35

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+mjcko.png

Filesize
68KB

MD5
a5a052868a538d0dbb9e9a131793719a

SHA1
413ea91123683f2f9d6d06b9c76f55052af5a786

SHA256
262cc48a9e5889b766ff8f30f3e2f06db20b9e643ec31c2c1f270d1965cfb988

SHA512
a3529b82e41c634c2b098bb2c9b654645f3e8d681944c3cb74aaf3b44b523a6ff8ede8ba231d2f1cf0ff65f44dcd1dc0a402fe573ac976e72ecfb5b823d4dd95

Download Submit
C:\Program Files\7-Zip\Lang\Recovery+mjcko.txt

Filesize
2KB

MD5
3256fc2b292ce1b17bda911037b2cf8a

SHA1
14b4eb9e3874ff2fa6437d8cae698499edc30d50

SHA256
a285c00891c1bcc14f89c2cc2e72d6ea8ad2b2be86348fbac8e3ed1847b9b3d4

SHA512
a76ddd94fa47f63a2d8b35f0b2149df6e958b4bd39e3719cb4cf2e0ce84f8924e61e92888bd9ebca4a52ad67ea676e20a2384331021028d59aed2785f431b148

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
560B

MD5
8365c629b8d5b482e0e992ee0e91d054

SHA1
49cb84716e2fd7b2ccec33ed8bdcccbc71cdcc3a

SHA256
5dae56da0143bcd1c085cff5e384cf92e9c8c20edc4664a7d69f666a1d0fa758

SHA512
b73078dbdda51c300fa552d27b137f836d291981223adbb4fea86ca0b8be7434f600d25a03b868c16712c3ccceee9b81bd346962fde72f9194065a94439e7c1b

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
560B

MD5
e4c20ad783ef3901e065c3a84da70eaf

SHA1
4a244342cd89b0a9480a6a8ec1473e7d776d6130

SHA256
5936242e3c2c48aafd3f911ac5707849017faa006c9251cb78a4f101eb0de98e

SHA512
ce3393c333c7dec00b1c416e8ec618a666110f122787eb9d91dd5a8fd7b3368edfd55addae91d34560615b9368a73c661f125a6ac5e512b2ffa46df1b1df9072

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
416B

MD5
077b2bf0fd00c28828dee710b09a6529

SHA1
f2821632f1042c733cb6aa6373ce4bf6ac5ea1bc

SHA256
b4a7a4dc2bd05bcd9f45b2ddb8bd2210954e3dafe99671e6181bb380a0ada3d9

SHA512
a775e381168d611ae04a2cce12d7c8ceffa42148f2865afa6895ed4c623bb6c617328e30700972779d0fe009540fd0b7e2183cb0154e217af9e20fdca4fbc28f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4029e82a5bc463a2a6653d0c70de6861

SHA1
885fd7822f73fcb96de33d6a3412c296514986c1

SHA256
4ae564dfbed02bae58abfcd877ed3fc0443f074ea755b93e44535b45c85d4584

SHA512
f7f3ee5b59ba314747ba718c93e4493b1a6e4d94caf381efcc199246077a4f82f2c68ea009823f04635e9362064759ada95d29b52c58550361e97a4fe1a96f70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d1115440bc1fe5510f33bbaa46488d5

SHA1
b849899a264525ff6104dc708163db84a140eb49

SHA256
77e5a323312f3d63348d6bc9a88e4fb68a5d4755e217044c795e1a99dcdab643

SHA512
8815f2eddd5ab53791574de04b7317d48876e1a4590db0153cc2ff1c4ffb82829a12abd129bf39a7f706e38d8ca30d8eda2d293b2fcc6597636960e6e0301a17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
75320f61cb376397fde377f5b1c9dddf

SHA1
2eb9d9099acfe763fe53c9927741b60bae5d7626

SHA256
870ec345af432561f32a6b8feecb28211a4c5a57f6187081f5c482cdfe95b613

SHA512
1a43584b908df455a5ace2b811852e32fa8d346a0268e38c13b1d517305df1d7fb8a1b209cf3fbe7856d73ac9d26475c33cccaf7410d95c8e0e7dc6017da61fc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662192103813.txt

Filesize
77KB

MD5
46d5aa7c42d16cbaa18f0edc0ecaf0a9

SHA1
a29dcb7566963ab8bb02027c8f988925e7ae3a78

SHA256
2998c60a716bffce41a22989267f1e4813820e2ee4c901941aa602edb25843be

SHA512
8afce9ed0b3607c6f0ce65701e41d7db70ae00da98ef435d7993df5b53050c9d1c1774d3195391c770aa2caa65fe4d619bb6e9e773e01f4a48e5d5eb5e4231fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727663401899668.txt

Filesize
47KB

MD5
f99ce136feb5c5069f0c9a3e20134307

SHA1
212519892bb9d30660cbe597b8df8140cb93bd46

SHA256
34eca609702c92ead63d2f61d70b7960b17ae820dbfa2b8b65663a89c734dd0d

SHA512
170876f6031c716f9fa6b3b3125ebcf2c621b64c6f717094b0e1cbde649d78fd0e4a3fd65ca69705ef1b286112113d744f4e96b1a197bf1312349d6b5cb877c2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670771168387.txt

Filesize
74KB

MD5
606cfe6e245091cadfe8198cc560a909

SHA1
f9b7866184794f75ae01ee70765e4be8fcc58147

SHA256
71d92f99399a63dc689e7a043af37072bdb6af0a8f763ac01eac806616997d33

SHA512
43a99d16df8239df631086aac0f6f8733678c1f14d41cd3486a67f89572cb9226aad571659142b9a589d0299466f3cbe603802b5e30b364a87ff2db8387963f3

Download Submit
C:\Windows\ltvoaislmjan.exe

Filesize
384KB

MD5
2714dcb562108786d363129ba91aaeb2

SHA1
fbe0353bc336d0e6645ea543113dc626c6d69818

SHA256
93b91360c51ab11e9ba349cfa48fdf44a356c2c28bd9d988a500c98e29dd0b40

SHA512
ad2bdbd6ff19388ec2f8c9e233948b8f71998a6f1cd82d3cf79fef011dee3c97c7789db27aed93b3f20d7703d9eb94900a04727be2ac8922aee37b0c4b0041db

Download Submit
memory/3036-12-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3036-19-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/3808-421-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-8795-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-25-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-2642-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-2641-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-5379-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-20-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-17-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-10810-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-10763-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-10764-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3808-10771-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3892-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3892-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3892-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3892-3-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3892-2-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4600-4-0x0000000002660000-0x0000000002663000-memory.dmp

Filesize
12KB

Download
memory/4600-0-0x0000000002660000-0x0000000002663000-memory.dmp

Filesize
12KB

Download
memory/4600-1-0x0000000002660000-0x0000000002663000-memory.dmp

Filesize
12KB

Download